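locals {
  # In-cluster URL of the authentik API living in the "<domain>-auth" namespace.
  authentik_url = "http://authentik.${var.domain}-auth.svc"

  # Bootstrap API token read from the authentik secret declared below.
  # NOTE(review): this value ends up in Terraform state in clear text; keep the
  # state backend encrypted and access-restricted.
  authentik_token = data.kubernetes_secret_v1.authentik.data["AUTHENTIK_BOOTSTRAP_TOKEN"]

  # Labels stamped on every rendered manifest: vynil ownership plus the
  # recommended app.kubernetes.io set.
  common_labels = {
    "vynil.solidite.fr/owner-name"      = var.instance
    "vynil.solidite.fr/owner-namespace" = var.namespace
    "vynil.solidite.fr/owner-category"  = var.category
    "vynil.solidite.fr/owner-component" = var.component
    "app.kubernetes.io/managed-by"      = "vynil"
    "app.kubernetes.io/name"            = var.component
    "app.kubernetes.io/instance"        = var.instance
  }

  # PVC spec injected into the server's volumeClaimTemplate (see the
  # StatefulSet patch). storageClassName is only set when a class is given so
  # an empty value falls back to the cluster default class.
  pvc_spec = merge(
    {
      "accessModes" = [var.storage.volume.accessMode]
      "volumeMode"  = var.storage.volume.type
      "resources" = {
        "requests" = {
          "storage" = "${var.storage.volume.size}"
        }
      }
    },
    var.storage.volume.class != "" ? { "storageClassName" = var.storage.volume.class } : {}
  )
}

# Authentik bootstrap secret, read from the "<domain>-auth" namespace.
data "kubernetes_secret_v1" "authentik" {
  metadata {
    name      = "authentik"
    namespace = "${var.domain}-auth"
  }
}

# Kustomize overlay: every *.yaml in this module except index.yaml is a base
# resource; the patches below inject instance-specific values.
data "kustomization_overlay" "data" {
  namespace     = var.namespace
  common_labels = local.common_labels
  resources     = [for file in fileset(path.module, "*.yaml") : file if file != "index.yaml"]

  # Agent Deployment: image, Kubernetes backend settings and the start script.
  # STORAGE_RWX must follow the *ReadWriteMany* access mode — the previous
  # comparison against "ReadOnlyMany" never enabled RWX for shared volumes.
  # The start script is mounted 0755: executable, but not world-writable.
  patches {
    target {
      kind = "Deployment"
      name = "woodpecker-agent"
    }
    patch = <<-EOF
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: woodpecker-agent
        labels:
          app.kubernetes.io/component: agent
      spec:
        replicas: 2
        selector:
          matchLabels:
            app.kubernetes.io/component: agent
        template:
          metadata:
            labels:
              app.kubernetes.io/component: agent
          spec:
            serviceAccountName: woodpecker-agent
            containers:
            - name: agent
              image: "${var.images.agent.registry}/${var.images.agent.repository}:${var.images.agent.tag}"
              imagePullPolicy: "${var.images.agent.pull_policy}"
              command: ["/usr/local/bin/start.sh"]
              env:
              - name: WOODPECKER_BACKEND_K8S_NAMESPACE
                value: "${var.namespace}"
              - name: WOODPECKER_BACKEND_K8S_STORAGE_CLASS
                value: "${var.storage.volume.class}"
              - name: WOODPECKER_BACKEND_K8S_STORAGE_RWX
                value: "${var.storage.volume.accessMode == "ReadWriteMany" ? "true" : "false"}"
              - name: WOODPECKER_BACKEND_K8S_VOLUME_SIZE
                value: "${var.storage.agent.size}"
              - name: WOODPECKER_SERVER
                value: "woodpecker-server.${var.namespace}.svc:9000"
              volumeMounts:
              - name: certs
                mountPath: /etc/local-ca
                readOnly: true
              - name: config
                mountPath: "/usr/local/bin/start.sh"
                subPath: "start.sh"
            volumes:
            - name: config
              configMap:
                name: "${var.instance}-${var.component}-agent-start"
                defaultMode: 0755
            - name: certs
              secret:
                secretName: "${var.instance}-cert"
                defaultMode: 0444
    EOF
  }

  # Server Service: pin the selector to this instance so two instances in the
  # same namespace do not select each other's pods.
  patches {
    target {
      kind = "Service"
      name = "woodpecker-server"
    }
    patch = <<-EOF
      apiVersion: v1
      kind: Service
      metadata:
        name: woodpecker-server
        labels:
          app.kubernetes.io/component: server
      spec:
        selector:
          app.kubernetes.io/name: ${var.component}
          app.kubernetes.io/instance: ${var.instance}
          app.kubernetes.io/component: server
    EOF
  }

  # Headless server Service: same selector as above (used by the StatefulSet).
  patches {
    target {
      kind = "Service"
      name = "woodpecker-server-headless"
    }
    patch = <<-EOF
      apiVersion: v1
      kind: Service
      metadata:
        name: woodpecker-server-headless
        labels:
          app.kubernetes.io/component: server
      spec:
        selector:
          app.kubernetes.io/name: ${var.component}
          app.kubernetes.io/instance: ${var.instance}
          app.kubernetes.io/component: server
    EOF
  }

  # Agent RoleBinding: bind the agent ServiceAccount in the target namespace.
  patches {
    target {
      kind = "RoleBinding"
      name = "woodpecker-agent"
    }
    patch = <<-EOF
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: woodpecker-agent
      subjects:
      - kind: ServiceAccount
        name: woodpecker-agent
        namespace: ${var.namespace}
    EOF
  }

  # Server StatefulSet: image, public host, secrets/config via envFrom, the
  # start script and the data PVC template built from local.pvc_spec.
  # WOODPECKER_HOST is declared once (the original listed it twice).
  patches {
    target {
      kind = "StatefulSet"
      name = "woodpecker-server"
    }
    patch = <<-EOF
      apiVersion: apps/v1
      kind: StatefulSet
      metadata:
        name: woodpecker-server
        labels:
          app.kubernetes.io/component: server
      spec:
        selector:
          matchLabels:
            app.kubernetes.io/name: ${var.component}
            app.kubernetes.io/instance: ${var.instance}
            app.kubernetes.io/component: server
        template:
          metadata:
            labels:
              app.kubernetes.io/name: ${var.component}
              app.kubernetes.io/instance: ${var.instance}
              app.kubernetes.io/component: server
          spec:
            containers:
            - name: server
              image: "${var.images.server.registry}/${var.images.server.repository}:${var.images.server.tag}"
              imagePullPolicy: "${var.images.server.pull_policy}"
              command: ["/usr/local/bin/start.sh"]
              env:
              - name: WOODPECKER_ADMIN
                value: "${var.admin-users}"
              - name: WOODPECKER_HOST
                value: "https://${var.sub_domain}.${var.domain_name}"
              envFrom:
              - secretRef:
                  name: woodpecker-secret
              - secretRef:
                  name: "${var.instance}-${var.component}-gitea"
              - configMapRef:
                  name: "${var.instance}-${var.component}-server"
              volumeMounts:
              - name: certs
                mountPath: /etc/local-ca
                readOnly: true
              - name: config
                mountPath: "/usr/local/bin/start.sh"
                subPath: "start.sh"
            volumes:
            - name: config
              configMap:
                name: "${var.instance}-${var.component}-server-start"
                defaultMode: 0755
            - name: certs
              secret:
                secretName: "${var.instance}-cert"
                defaultMode: 0444
        volumeClaimTemplates:
        - metadata:
            name: data
          spec: ${jsonencode(local.pvc_spec)}
    EOF
  }
}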